Several of the most popular antivirus products contain vulnerabilities that can be exploited locally or remotely, a security researcher revealed at the SyScan 360 security conference in Beijing earlier this month.
Joxean Koret, a researcher at Singapore-based security company Coseinc, tested roughly 17 antivirus engines, 14 of which were found to be vulnerable, including ones from Avast, AVG, Avira, Bitdefender, ClamAV, Comodo, Dr.Web, ESET, Ikarus, eScan, F-Secure, Sophos, Bkav and Panda Security.
Koret pointed out several factors that make antivirus engines more vulnerable: they are mostly written in C and C++, which makes buffer and integer overflows likely; they run with root privileges, so an attacker who finds an exploitable bug gains the highest privileges on the system; they support a large number of file formats, which means a large number of parsers and therefore parser bugs; and updates are performed over plain HTTP, which leaves the update channel exposed to man-in-the-middle (MitM) attacks.
Antivirus software in general doesn’t properly protect computers against sophisticated attackers. On the contrary, in some cases it increases the attack surface and it can even lower operating system protections, making users even more vulnerable, the expert argued.
The researcher found the vulnerabilities through fuzzing, a software testing technique that feeds malformed input to the parsers, and by performing basic local and remote checks of the update protocol, network services, address space layout randomization (ASLR) and access control lists (ACLs).
The list of identified security holes includes a heap overflow in Avast, a heap overflow in AVG, multiple remote vulnerabilities in Avira, Bitdefender and Dr.Web, a heap overflow in Comodo, an integer overflow in ESET, multiple local privilege escalations in Panda, and multiple command injections in eScan, the expert revealed in his presentation.
Exploiting these vulnerabilities works much as it does for other client-side applications, the expert said. In a common antivirus engine exploitation scenario described by Koret, the attacker compresses several files inside an archive. When the archive is scanned, the antivirus unpacks the compressed files and scans each of them. The first file in the archive can be set up to force the emulator to be loaded and used, while the second file contains the real exploit.
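To make concrete the parser-bug class that the list of factors above attributes to C and C++ code, and the unpack-and-parse step of the archive scenario just described, here is an added example; it is not code from the presentation or from any vendor's engine. It uses a constructed, hypothetical archive-entry format with two little-endian 32-bit length fields. The vulnerable bounds check adds the two lengths in 32 bits, so a crafted pair wraps and slips past the check; the hardened parser compares each length against what actually remains in the buffer. The format, the MAX_NAME_LEN limit and the two sample entries are assumptions of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example format (an assumption of this example, not any
 * vendor's): name_len (u32 LE), data_len (u32 LE), name bytes, data bytes. */
#define ENTRY_HDR_LEN 8u
#define MAX_NAME_LEN 255u   /* policy limit assumed by the hardened parser */

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable bounds check: name_len + data_len is added in 32 bits, so a
 * pair such as 0x10 + 0xFFFFFFF8 wraps to 8 and passes. Returns 0 when the
 * parser would go on to copy name_len and then data_len bytes. */
int entry_check_vulnerable(const uint8_t *buf, size_t buflen)
{
    if (buflen < ENTRY_HDR_LEN)
        return -1;
    uint32_t name_len = le32(buf);
    uint32_t data_len = le32(buf + 4);
    uint32_t total = name_len + data_len;   /* integer overflow here */
    if (ENTRY_HDR_LEN + total > buflen)     /* compares the wrapped value */
        return -1;
    return 0;   /* a real parser would now memcpy() data_len bytes: out of bounds */
}

/* Bytes past the end of buf the vulnerable path would read once it trusts
 * the wrapped total (0 when the entry is rejected or genuinely fits). */
uint64_t vulnerable_overread_bytes(const uint8_t *buf, size_t buflen)
{
    if (entry_check_vulnerable(buf, buflen) != 0)
        return 0;
    uint64_t need = (uint64_t)ENTRY_HDR_LEN + le32(buf) + le32(buf + 4);
    return need > buflen ? need - buflen : 0;
}

/* Hardened parser: check each field against what actually remains, using a
 * subtraction that cannot underflow, and cap the name length. On success the
 * out-pointers reference the name and data bytes inside buf. */
int entry_parse_hardened(const uint8_t *buf, size_t buflen,
                         const uint8_t **name, uint32_t *name_len,
                         const uint8_t **data, uint32_t *data_len)
{
    if (buflen < ENTRY_HDR_LEN)
        return -1;
    size_t remaining = buflen - ENTRY_HDR_LEN;
    uint32_t nl = le32(buf);
    uint32_t dl = le32(buf + 4);
    if (nl > MAX_NAME_LEN || nl > remaining)
        return -1;
    if (dl > remaining - nl)   /* safe: nl <= remaining was checked above */
        return -1;
    *name = buf + ENTRY_HDR_LEN;
    *name_len = nl;
    *data = buf + ENTRY_HDR_LEN + nl;
    *data_len = dl;
    return 0;
}

/* 1 if the hardened parser accepts buf and yields exactly name and data. */
int entry_matches(const uint8_t *buf, size_t buflen,
                  const char *name, const char *data)
{
    const uint8_t *n, *d;
    uint32_t nl, dl;
    if (entry_parse_hardened(buf, buflen, &n, &nl, &d, &dl) != 0)
        return 0;
    return nl == strlen(name) && memcmp(n, name, nl) == 0 &&
           dl == strlen(data) && memcmp(d, data, dl) == 0;
}

/* Constructed sample: well-formed entry "a.txt" -> "hello". */
const uint8_t benign_entry[] = {
    0x05, 0x00, 0x00, 0x00,   /* name_len = 5 */
    0x05, 0x00, 0x00, 0x00,   /* data_len = 5 */
    'a', '.', 't', 'x', 't', 'h', 'e', 'l', 'l', 'o'
};

/* Constructed sample: name_len = 0x10, data_len = 0xFFFFFFF8. The 32-bit sum
 * is 8, so 8 + 8 <= 32 passes the vulnerable check on this 32-byte buffer. */
const uint8_t crafted_entry[32] = {
    0x10, 0x00, 0x00, 0x00,
    0xF8, 0xFF, 0xFF, 0xFF   /* remaining bytes are zero */
};

int main(void)
{
    printf("benign:  vulnerable=%d hardened_ok=%d\n",
           entry_check_vulnerable(benign_entry, sizeof benign_entry),
           entry_matches(benign_entry, sizeof benign_entry, "a.txt", "hello"));
    printf("crafted: vulnerable=%d overread=%llu bytes hardened=%d\n",
           entry_check_vulnerable(crafted_entry, sizeof crafted_entry),
           (unsigned long long)vulnerable_overread_bytes(crafted_entry, sizeof crafted_entry),
           entry_check_vulnerable(crafted_entry, sizeof crafted_entry) == 0 &&
           !entry_matches(crafted_entry, sizeof crafted_entry, "", "") ? -1 : 0);
    return 0;
}
```

The point of the hardened version is that no arithmetic on attacker-controlled lengths is ever compared before it has been bounded: `nl` is checked against `remaining` first, which makes `remaining - nl` safe, and `dl` is then checked against that difference rather than against a sum. The same pattern applies to every length or count field an unpacker reads from an archive before it allocates or copies.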
Some of the flaws found by Koret have been addressed, but some of them remain unfixed. The expert has only reported his findings to Avast, because the company has a bug bounty program, ClamAV, because their antivirus is open source, Panda, because he has “friends” there, and Ikarus, ESET and F-Secure, because they contacted him and “asked for help nicely.”
Ondrej Vlcek, chief operating officer at Avast, has confirmed that the issues reported to the company have been fixed.
“There are always bugs in software. At AVAST, we do as much as we can to find our bugs and fix them. We are the only consumer security company to have introduced a bug bounty. Our bug bounty program offers an incentive to our users if they report bugs to us. In his presentation, Joxean Koret actually praised this strategy, claiming that the bug bounty was the only reason why he reported the bugs in the first place,” Vlcek told SecurityWeek.
Panda Security representatives have told SecurityWeek that Koret, who previously worked at PandaLabs, informed the company of his findings in the Panda Global Protection 2013 product. According to PandaLabs Technical Director Luis Corrons, the flaws have been fixed.
As far as the other vendors are concerned, the researcher says he doesn’t contact “irresponsible multi-million dollar companies,” and urges them to audit their products.
Bitdefender, whose antivirus engine is used by several other companies, has been working on fixing these and other vulnerabilities plaguing its products.
“We have been aware of Mr. Koret’s findings since he published his presentation, having had no prior contact, as Mr. Koret does not believe in responsible disclosure. We have fixed the bugs which he has published proof of concept exploits for, within days of publication,” Bitdefender said.
“Since the announcement, we have also conducted an internal code audit, fixed a number of other bugs and made changes to our build and QA processes which should result in far sturdier code and prevent similar situations in the future. We are still not in possession of the list of alleged bugs found by Mr. Koret, so we cannot tell if we have fixed them all, or, indeed, even if they are all reproducible.”
After Koret tweeted some of his findings, ESET proactively contacted him to learn more about the issue, Jakub Debski, Head of Core Technology Development at ESET, told SecurityWeek. “ESET resolved the problem and published an update in less than three days,” Debski said. “ESET always welcomes researchers who follow responsible disclosure procedures of bugs and issues. While we do everything possible to ensure that products are fault free, sadly no software is perfect.”